Red Tape

Given the choice, every organization would want its Web sites and applications to be secure from the start of development all the way through the software development life cycle. Why is that so hard to achieve? The answer lies in the processes (or lack of them) that organizations have in place.

The dawn of the 21st century brought technology that let consumers and businesses communicate and complete both routine and complex transactions over a new vehicle, the internet. This new medium quickly became the standard way for millions of consumers to obtain everything from mortgage loans to prescription refills. But every silver lining has its cloud, and the dark side soon materialized in the form of corporate mismanagement scandals, identity theft and privacy violations. New compliance regulations took shape in an effort to mitigate these problems, and they touch every aspect of a business, from financial reporting to firewall configurations.

Controlling access to information and information systems is a fundamental responsibility of information security professionals. The basic need to consume data creates a requirement to control the access necessary to use that data. It is this subject-object interaction that introduces risk, and that risk must be mitigated through methodical policy creation and enforcement. Access controls are managed through rules that grant or deny subjects access to particular objects. These rules can be defined and enforced through a number of mechanisms, combined into a manageable, layered control process. The overarching goal of access control is to mitigate risk to the object.
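As an added illustration of the subject-object rule model described above (example code written for this page, not taken from the original article), here is a small deny-by-default evaluator that stacks three independent control layers: a mandatory label check, a role-based rule list, and an ownership check. The subjects, objects, rules and the numeric clearance/classification scale are all constructed for the example; the point it shows is that a request must survive every layer, and that an explicit deny anywhere cannot be overridden by a grant elsewhere.

```python
"""Layered, deny-by-default access control (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Decision = Optional[str]  # "allow", "deny", or None meaning "no opinion"


@dataclass(frozen=True)
class Subject:
    name: str
    roles: FrozenSet[str]
    clearance: int  # hypothetical numeric clearance; higher may read more


@dataclass(frozen=True)
class Object:
    name: str
    classification: int  # hypothetical sensitivity label on the clearance scale
    owner: str


@dataclass(frozen=True)
class Rule:
    effect: str               # "allow" or "deny"
    roles: FrozenSet[str]     # empty set matches any role
    objects: FrozenSet[str]   # empty set matches any object
    actions: FrozenSet[str]


def mandatory_layer(subject: Subject, obj: Object, action: str) -> Decision:
    """Label layer: reading requires clearance at or above the classification.
    This layer only vetoes; it never grants on its own."""
    if action == "read" and subject.clearance < obj.classification:
        return "deny"
    return None


def acl_layer(subject: Subject, obj: Object, action: str, rules: List[Rule]) -> Decision:
    """Rule layer: an explicit deny beats any allow; no matching rule is no opinion."""
    decision: Decision = None
    for rule in rules:
        if rule.roles and not (rule.roles & subject.roles):
            continue
        if rule.objects and obj.name not in rule.objects:
            continue
        if action not in rule.actions:
            continue
        if rule.effect == "deny":
            return "deny"
        decision = "allow"
    return decision


def owner_layer(subject: Subject, obj: Object, action: str) -> Decision:
    """Ownership layer: the owner may read and write; everyone else gets no opinion."""
    if subject.name == obj.owner and action in {"read", "write"}:
        return "allow"
    return None


def authorize(subject: Subject, obj: Object, action: str, rules: List[Rule]) -> bool:
    """Deny by default: any layer's deny is final; otherwise at least one allow is needed."""
    layers = (
        mandatory_layer(subject, obj, action),
        acl_layer(subject, obj, action, rules),
        owner_layer(subject, obj, action),
    )
    if "deny" in layers:
        return False
    return "allow" in layers


# Constructed sample policy and principals (not real data).
RULES: List[Rule] = [
    Rule("allow", frozenset({"analyst"}), frozenset(), frozenset({"read"})),
    Rule("deny", frozenset({"contractor"}), frozenset({"payroll"}), frozenset({"read", "write"})),
    Rule("allow", frozenset({"contractor"}), frozenset({"wiki"}), frozenset({"read"})),
]
PAYROLL = Object("payroll", classification=2, owner="carol")
WIKI = Object("wiki", classification=0, owner="dave")
ALICE = Subject("alice", frozenset({"analyst"}), clearance=2)
EVE = Subject("eve", frozenset({"analyst"}), clearance=1)   # right role, too low a label
BOB = Subject("bob", frozenset({"contractor"}), clearance=1)
CAROL = Subject("carol", frozenset(), clearance=3)           # no role, but owns payroll


def demo() -> List[Tuple[str, str, str, bool]]:
    """Evaluate a handful of requests and return (subject, action, object, decision)."""
    requests = [
        (ALICE, "read", PAYROLL), (EVE, "read", PAYROLL), (BOB, "read", WIKI),
        (BOB, "read", PAYROLL), (BOB, "write", WIKI), (CAROL, "write", PAYROLL),
        (ALICE, "write", PAYROLL),
    ]
    return [(s.name, a, o.name, authorize(s, o, a, RULES)) for s, a, o in requests]


if __name__ == "__main__":
    for subject, action, obj, allowed in demo():
        print(f"{subject:6} {action:5} {obj:8} -> {'ALLOW' if allowed else 'DENY'}")
```

Eve's request is the instructive case: the role rule would grant her read access to payroll, but the mandatory label layer vetoes it, so the layered process denies. Bob's write to the wiki is denied not by any rule but by the absence of one, which is what deny-by-default means in practice.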

The greatest knowledge is knowing what intellectual property you own and where it is located on the network. The next greatest is knowing what controls, technology and processes stand between that data and both insiders and outsiders. Intellectual property theft can happen along a number of different paths, but the disgruntled employee is fast becoming the avenue of choice for losing intellectual property. The Sony DRM rootkit is at least one excellent example of something that could give a disgruntled employee a viable avenue to take advantage of the network and its computing systems.